[keycloak-user] jboss-cli.sh CLI script setup of subsystem=undertow FAILs at "javax.security.sasl.SaslException: DIGEST-MD5: Server rejected authentication"?
PGNet Dev
pgnet.dev at gmail.com
Thu Aug 22 14:21:35 EDT 2019
I'm setting up keycloak (8.0.0/head, atm) for ops behind an ssl terminating proxy.
In "standalone.xml" I want to change,
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
to,
<server name="default-server">
<http-listener name="default" socket-binding="http" enable-http2="true" proxy-address-forwarding="true" />
<https-listener name="https" socket-binding="https" enable-http2="true" security-realm="UndertowRealm" />
I'd like to do this with scripting CLI, eventually for orchestrated deployment.
checking mgmt access, open/display of gui
/opt/keycloak/bin/jboss-cli.sh \
--connect \
--controller=10.0.0.1:9990 \
--properties=/etc/keycloak/jboss.properties \
--user=mgmtuser \
--password=mgmtpass \
--gui
works fine -- I can read all my controller's data/props/etc.
I've created a script/batch input file
cat /tmp/https.cli
/subsystem=undertow/server=default-server/http-listener=default/:list-clear
/subsystem=undertow/server=default-server/https-listener=https/:list-clear
/subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=socket-binding,value=http):write-attribute(name=enable-http2,value=true):write-attribute(name=proxy-address-forwarding,value=false)
/subsystem=undertow/server=default-server/https-listener=https/:write-attribute(name=socket-binding,value=https):write-attribute(name=enable-http2,value=true):write-attribute(name=security-realm,value=UndertowRealm)
but exec of cli, with that^ input, fails
/opt/keycloak/bin/jboss-cli.sh \
--connect \
--controller=10.0.0.1:9990 \
--properties=/etc/keycloak/jboss.properties \
--user=mgmtuser \
--password=mgmtpass \
--file=/etc/keycloak/https-setup.cli \
Failed to connect to the controller: Unable to authenticate against controller at 10.0.0.1:9990: Authentication failed: all available authentication mechanisms failed:
DIGEST-MD5: javax.security.sasl.SaslException: DIGEST-MD5: Server rejected authentication
in 'standalone.xml', the auth mech IS defined,
...
<sasl>
<sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" s
<mechanism-configuration>
<mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
>> <mechanism mechanism-name="DIGEST-MD5">
<mechanism-realm realm-name="ApplicationRealm"/>
</mechanism>
</mechanism-configuration>
</sasl-authentication-factory>
<sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" se
<mechanism-configuration>
<mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
>> <mechanism mechanism-name="DIGEST-MD5">
<mechanism-realm realm-name="ManagementRealm"/>
</mechanism>
</mechanism-configuration>
</sasl-authentication-factory>
...
WHY is that mech being rejected?
Where are the allowed/available auth "mechanism-name" listed/documented? And, ideally, their usage?
More information about the keycloak-user
mailing list